
Data Protection (Adequacy) (United States of America) Regulations 2023

My Lords, it is a pleasure to follow the noble Baroness and, indeed, my noble friend Lord Clement-Jones. Their commentary on the process so far is quite damning. I share my noble friend’s fear that this is in danger of selling short what is an important aim of creating a viable data bridge between these two jurisdictions.

I am not going to go over the process; I will pick out a number of points from what I think is the right Explanatory Memorandum but may, of course, be the wrong one. I am acting in good faith; I think I picked it up from the table at the right nanosecond when the correct document was there.

Paragraph 7.2 of the EM says:

“DSIT officials have been working closely with counterparts in the US”.

Paragraph 25 of the Secondary Legislation Scrutiny Committee’s report says that DSIT told the committee:

“The US does not have a comprehensive data protection framework”.

The report points out, as noble Lords have said, that this framework tends to be based on a sector or state-level requirement. So who are the counterparts that DSIT talked to? There are no counterparts equivalent to DSIT who can have that competent conversation.

In practice, can they know that the treatment of data will be the same in California as it will be in Florida? If they know the answer to that question, how do they know it—who did they talk to in order to gain that information? It seems to me that the complications of data in the United States are not reflected in the Explanatory Memorandum in my hand.

That is the first point. Moving on, if you look at paragraph 7.6 in the Explanatory Memorandum, you see that it is very clear that this is a self-certifying annual process. Self-certifying is another word for ticking boxes. So, once again, how can the department be sure that this process is being properly dealt with and monitored? When we come to the enforcement of this self-certification process, is it the Department of Commerce that will be checking that this self-certification has happened? Will it be the state legislatures? Who will be the bodies in charge of this self-certification? Will there be an annual report, so we know that all these bodies are certified? Indeed, if I am giving my data to a particular organisation that is then sending that information across the United States, how do I know that that process is properly certified? It seems that these are good words but, unless they are backed up with a system and a process, they are to all intents and purposes meaningless.

The next point is picked up in paragraph 7.12 of the Explanatory Memorandum, where we talk about processors and transfers, and people in the United States who are

“indicated on the Data Privacy Framework List as participating in”

this bridge. If there is a violation from an organisation in the United States that is picked up by the Information Commissioner in the United Kingdom, what happens next? Who does what, in terms of prosecuting the organisation in the United States for wrongfully dealing with that data? Who is liable? At a corporate level, where is this dealt with? Is there some sort of corporate veil to the US company which means that the UK company is not liable? How in companies law will this operate? It seems to me that there is not the information here to answer those questions and I wonder, frankly, whether they have actually been considered.

It is quite clear that this could not have happened without the hard work and endless negotiation of the EU-US group. This rides on the back of a rule-taking process that I suppose we are going to have to get used to as things go forward. My noble friend’s point about Schrems is very true; Schrems III is coming soon, so what will the Government’s position be if it finds against the EU part of this bridge? Will we also automatically cancel the bridge? How does that then affect companies that have already transferred their data and made that decision?

There are a couple of ancillary questions which are, I guess, slightly off the wall. There is an industry in this country that involves having servers and creating a UK-based server place as a safe harbour for British data. I assume the department has done an analysis of the industrial effect on those servers, because clearly many of them will no longer be needed, and data can be sent back to the United States rather than living in what are euphemistically called “clouds” but are actually server farms in the United Kingdom.

I have a final question. As the Minister knows, political parties tend to knock on doors, collect data and put that data into databases. Can he tell us what the position is on electoral databases in terms of using US-based servers to retain that data? At the moment, that is not done. Will political parties be able to move that data from servers in this country to perhaps their counterparts, assistants or supporters in the United States, in order to do analysis, targeting and whatever, or do the current rules of safe harbour still exist for electoral data?

7 pm

Type: Proceeding contribution
Reference: 834 cc799-801
Session: 2023-24
Chamber / Committee: House of Lords chamber